Analysis
-
max time kernel
152s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
09-12-2022 15:06
General
-
Target
fc0f65213e7ad5960378433efc55642c116c750e10cb881ed7297f361b6be7dd.exe
-
Size
669KB
-
MD5
489e246b8f55137cd70e4b2d718ff85f
-
SHA1
444e3fd11ac385ab333db41420e5c4fd2e47a5ba
-
SHA256
fc0f65213e7ad5960378433efc55642c116c750e10cb881ed7297f361b6be7dd
-
SHA512
25301655af73d40156d5761883198e519887d6dd24c282602a43cba8d029e108a26a29fa9b99e80c559a2916e311a6726dfbe8ef43c75dac503a3d33fa8464f7
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DRKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWMKrKe
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">28456F4D96133EEF4E4CC4E2DF4658667153AE728F213EBDDCA7C4A69E9AE9F5A6EA43C44BBD1DDEE3ED4811EE8102AC70B8F0D99E2F0621A9A3A4C0A5936FB5<br>6DF405AECC1DBB2467C4731B9270AA5B25806D619755775D16C93DEBA81CCF6A4B2D7281CDD71D086D096E64B8AB15C4CD9F927AD92B09F7086F7559A439<br>FF03C1A7040219184386E914535EFC8A164B1784823229BA0BB437D58D4DCF63F697EA1710B6F9BC13D51ED5421A95AD4C0CFF25CD98893291FF392DFC80<br>0032067E058DC83CB8EA3C73657B973F6292BD6F1668D991068A98D44792F1FA755418579A09AE7C7CE32355555EBE858FDA80264617D2662B1DBE96640C<br>2032E8C2F273DEADE3CC5478D358101D2512A8EAFE8F4A49B887791913B4D27BA003C0234393A287D3B3E37B8D149FCEB0575061AD51ED94733FE90BD6B3<br>FA482F1A9CFCCC4111F3FECB472762379A5282E7327689A62D602BAD8B52178C79B2116278FE9964062AD142D1BA2CBE983CBB1717D3C5022E045E873BCD<br>0D86DB2FF765F9B9EC15A980CEFA59D12178F8A9250528510BD47EFD0265C2C636C44200EFF116467D545CCF37BA315D11E98BE2D922F3B2A31FF9B8FC4B<br>A962E6E874B604261C5C5488FF6B7C8AAC4DC481E920B90F31DFDB69FF53CC3938F0709B921B681A446F723EAD1DBB59F412D41D0F80EBD5CC11842E9AF4<br>E324894FF59553D17EE3CD34541B</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br>
<a href="ithelp02@wholeness.business ">ithelp02@wholeness.business </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
href="ithelp02@decorous.cyou
">ithelp02@decorous.cyou
href="ithelp02@wholeness.business
">ithelp02@wholeness.business
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc0f65213e7ad5960378433efc55642c116c750e10cb881ed7297f361b6be7dd.exe"C:\Users\Admin\AppData\Local\Temp\fc0f65213e7ad5960378433efc55642c116c750e10cb881ed7297f361b6be7dd.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\svhost.exeFilesize
669KB
MD5489e246b8f55137cd70e4b2d718ff85f
SHA1444e3fd11ac385ab333db41420e5c4fd2e47a5ba
SHA256fc0f65213e7ad5960378433efc55642c116c750e10cb881ed7297f361b6be7dd
SHA51225301655af73d40156d5761883198e519887d6dd24c282602a43cba8d029e108a26a29fa9b99e80c559a2916e311a6726dfbe8ef43c75dac503a3d33fa8464f7
-
C:\Users\Admin\AppData\Roaming\svhost.exeFilesize
669KB
MD5489e246b8f55137cd70e4b2d718ff85f
SHA1444e3fd11ac385ab333db41420e5c4fd2e47a5ba
SHA256fc0f65213e7ad5960378433efc55642c116c750e10cb881ed7297f361b6be7dd
SHA51225301655af73d40156d5761883198e519887d6dd24c282602a43cba8d029e108a26a29fa9b99e80c559a2916e311a6726dfbe8ef43c75dac503a3d33fa8464f7
-
memory/2200-133-0x0000000000000000-mapping.dmp
-
memory/3504-134-0x0000000000000000-mapping.dmp
-
memory/4612-132-0x0000000000000000-mapping.dmp